Lecture Note#7: Establishing Effective Internal Control Environment

ACT1110 _1st Semester 2021-2022

Establishing an Effective Internal Control Environment

SOURCE: BY ISAAC CLARKE (PARTNER | CPA, CISA, CISSP)  ON MARCH 24, 2020

Organizations flourish when they establish control environments that foster the efficient
execution of operations. When done properly, good internal controls help organizations
deliver value to their stakeholders and achieve their strategic objectives while aligning
with industry best practices, laws, and regulations to manage risks facing them. This
blog will help you understand 1) what a control environment is, 2) the important role
internal control plays within the control environment, 3) how to design and implement
internal control within your organization, and 4) how to assess the effectiveness of your
control environment.

What is the Internal Control Environment of a Company?

The Institute of Internal Auditors control environment definition states that the control

environment is the “foundation on which an effective system of internal control is built
and operated in an organization that strives to (1) achieve its strategic objectives, (2)
provide reliable financial reporting to internal and external stakeholders, (3) operate its
business efficiently and effectively, (4) comply with all applicable laws and regulations,
and (5) safeguard its assets.”
A control environment is made up of a compilation of an entity’s organizational
structure, processes, policies, and standards that are utilized to maintain control across
the organization. The board of directors and executive management of a business
establish the company culture and attitude regarding the importance of maintaining
controls and set the expectations of standards of conduct within the organization—often
referred to as “the tone at the top.”
What are the elements of the control environment? They include:

1. Demonstrating a commitment to Integrity and Ethical Values

2. Maintaining the independence of the board of directors from management and
their oversight of the entity’s internal control
3. Establishing organizational structure, reporting lines, authority, and
responsibilities to pursue business objectives
4. Demonstrating a commitment to attract, develop, and maintain competent
people
5. Maintaining accountability for the execution of internal control responsibilities

Why is it Important to Have Strong Internal Control?

1
Lecture Note#7: Establishing Effective Internal Control Environment
ACT1110 _1st Semester 2021-2022

A failure to have internal controls in place results in front-page news stories that no
company wants to be a part of. Enron, Worldcom, and Equifax are a few examples of
organizations that made news headlines due to a lack of internal control. Similarly, there
are dozens of cases each year of companies who privately lose millions of dollars due to
control failures, fraud, and misconduct.
All of these outcomes are the result of a weak internal control system and highlight the
importance of internal control to the success of an organization. Having a strong internal
control environment can provide management and stakeholders reasonable assurance
that the organization is operating in accordance with company policies, industry
standards, and regulatory requirements.
 

What Are the Five (5) Components of Internal Control?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

defines internal control as “a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives.”
There are five key components of internal control (sometimes referred to as the
principles of internal control) that include the following:

1. Control Environment—is a set of standards, structures, and processes that

provide the foundation for performing internal control within the entity
2. Risk Assessment—is a process used to identify (on an iterative basis), assess,
and manage risks to the achievement of the entity’s objectives
3. Control Activities—are actions performed under the direction of management,
as directed by an entity’s policies and procedures, to mitigate the risks to the
achievement of the entity’s objectives
4. Information and Communication—is the distribution of information needed
to perform control activities and to understand internal control responsibilities
to personnel internal and external to the entity
5. Monitoring Activities—are ongoing evaluations of the implementation and
operation of the five (5) components of internal audit

2
Lecture Note#7: Establishing Effective Internal Control Environment
ACT1110 _1st Semester 2021-2022

How Can You Implement Internal Control?

Like any process, the order of actions taken matters when implementing an internal
control environment. Just as you cannot construct the roof or top floor of an office
building without completing the foundation and lower levels, an organization cannot
skip steps in designing, implementing, operating, and monitoring its internal control
framework.

Internal Control Environment

Each organization must start by establishing its internal control environment. It has
been said that five things are needed to successfully effect change—vision, skills,
incentives, resources, and a plan. Efforts to change without a vision create confusion.
Experience has shown that a lack of skills, incentives, resources, or a plan will result in
anxiety, resistance, frustration, and failure.
Interestingly, when it comes to implementing or improving internal control within an
organization, the control environment is a pervasive factor that impacts all of the other
aspects of internal control. Consequently, a poor “tone at the top” by the board of
directors or executive management will likely hinder or damage the other components
of internal control.

Internal Control Risk Assessment

The next step in the design and implementation of internal control for an organization is
to identify and analyze threats or risks to the achievement of the entity’s objectives. Our
blog post on Risk Management describes the risk assessment component of internal
control in greater detail. This is an iterative process that should be performed at least
annually if not sooner when significant changes occur to the organization, its industry,
or the regulatory environment.

Control Activities

Risks that management determines that the entity must mitigate in order to achieve its
objectives are addressed by control activities. This is a critical element of internal
control. Through policies and procedures, control activities or actions are put into place
to address those risks.
Control activities can be any number of actions within an organization and are
categorized by type and nature. They should be specific actions that can be observed
and documented for future inspection or re-performance by a third-party. Please see
our blog post on the different types of controls for additional detail. This will give you
examples of internal controls that you might consider implementing in your
organization.

3
Lecture Note#7: Establishing Effective Internal Control Environment
ACT1110 _1st Semester 2021-2022

It is important that an organization use a risk-based approach in designing its control

activities or internal control framework. This means that controls are designed to
address the risk factors identified in its internal risk assessments rather than using a
pre-defined control list. While some frameworks are widely accepted (such as COSO’s
internal control framework), each organization is different and faces different
challenges. This requires that an organization customize even the best framework to
align with its needs.

Information and Communication

It is critical that personnel within the organization understand their responsibilities for
internal control. This is best achieved when individuals can relate the impact that their
activities have on the achievement of the business’ goals and objectives. This
communication should be an ongoing process. Organizations with truly effective
internal control provide training to personnel on a regular basis, keep current policies
and procedures available to personnel, and communicate other critical information in a
timely manner via company meetings or emails as needed.

Monitoring Activities

Monitoring activities consist of continual evaluations of the implementation and

operation of the five (5) components of an internal audit. Findings should be evaluated
against criteria established by the board of directors, management policies, industry
standards, and regulators. Deficiencies should be communicated to management and
board of directors, as needed. Management should follow-up on these items through
resolution.
Monitoring activities may extend beyond the borders of an organization. Such as with
service providers whose services may impact their clients’ internal controls over
financial reporting. For example, the American Institute of Certified Public Accounts’ 
(AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, which
replaced SSAE 16 as the standard for SOC 1 reporting on May 1, 2017, emphasizes the
importance of service providers monitoring controls at subservice organizations. Click
here for a summary of the changes caused by the implementation of SSAE 18.

How Can You Assess Your Control Environment?

I am a firm believer in the adage that “you get what you measure.” I have met with some
organizations that consider their annual audit to be that measuring stick. If you find
yourself in that boat, it is time to change course.
A strong internal audit and/or compliance function is critical to assessing and
maintaining your control environment. Personnel with the experience and skill-sets
specific to your organization should be secured. If that is not possible, external entities
should be engaged periodically to assess the environment to provide management with
an accurate picture of the organization’s control environment. Please see our blog
discussing the value of internal auditors.
The types and means for assessing a control environment are many and vary from one
organization to another and from one industry to another. Many organizations are
assessed due to regulatory requirements. Such as public companies subject to the 
Sarbanes-Oxley Act that requires them to have an integrated audit performed each
year. Some service organizations’ clients require them to obtain a SOC 1 or SOC
2 report annually to provide assurance to their clients regarding their control

4
Lecture Note#7: Establishing Effective Internal Control Environment
ACT1110 _1st Semester 2021-2022

environment as it pertains to internal controls over financial reporting or the service

providers’ overall security. Similarly, some health care providers are required to
receive HIPAA assessments or a HITRUST certification annually.
 

How Can Your Control Environment Be Improved?

The purpose of assessing an organization’s control environment is to identify

weaknesses within their environment so that they can be strengthened.
What is a strong control environment?
The answer to this question is a moving target. A control environment that may be
considered strong for a small startup may be inadequate for a Fortune 500 company. As
an organization grows and its environment changes, it must adjust to address new risks
or threats. I guess you could say that obtaining and maintaining a strong control
environment is a journey and not a destination.
You can improve your organization’s control environment by following the iterative
process within the internal control framework or process.

1. Assess the risks threatening the company’s ability to achieve its business
objectives or services commitments. These may be identities through a formal
risk assessment or from monitoring control activities performed by the
organization.
2. Identify new controls or how to modify existing control activities to mitigate the
risks.
3. Design and communicate control changes to personnel responsible for
implementing, performing, or reviewing the related activities.
4. Implement the control changes.
5. Monitor control activities throughout the organization to determine the
effectiveness of their operation and the outcomes from their execution.

Once the process cycle has been performed, it is repeated beginning with the
assessment. Ideally each time through the process the control environment improved
and strengthened.

Conclusion

Organizations that establish effective control environments can improve their efficiency
in delivering value and achieving its strategic objectives. I hope this has helped you
understand what a control environment is, the important role internal control plays
within the control environment, and how to design, implement, and assess your own
internal control framework

5
Lecture Note#7: Establishing Effective Internal Control Environment
ACT1110 _1st Semester 2021-2022